Microsoft gets busy on fix for IE watering hole attack

(Phys.org)—Microsoft has published a security advisory about a vulnerability in Internet Explorer 6, 7, and 8. "We are only aware of a very small number of targeted attacks at this time," a Microsoft team blog said. The company acknowledged the vulnerability in its Microsoft Security Advisory (2794220) published on Saturday. Reports about the problem pointed to affected users who had visited the Council of Foreign Relations (CFR) website. According to network security company FireEye, "we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21."

CFR is described as a nonpartisan think tank focused on American foreign policy and international affairs. FireEye said the initial JavaScript hosting the exploit only served the exploit to browsers with an OS language as either U.S. English, Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

Microsoft described the nature of the vulnerability as a "remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Outside Microsoft, security bloggers are referring to the attack on the CFR website as a "watering hole attack." In this type of activity, the attackers identify specific targets and scout out which sites they frequently visit. Attackers then plant malware on them. As Kaspersky Lab's Threatpost similarly explains, it is "where a website frequented by topically connected subjects is infected with malware hoping to snare those site visitors in drive-by attacks."

Symantec views the metaphor of a watering hole fitting, as "the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer."

Microsoft has responded with mitigations and workarounds. The company said the IE team is working on a security update but in the interim it recommended that IE8 customers block the current attacks by disabling Javascript, which will prevent the vulnerability from being triggered initially, and disabling Flash, which will prevent ActionScript-based heap spray from preparing memory such that the freed object contains exploit code. Microsoft said also that "disabling the ms-help protocol handler and ensuring that Java6 is not allowed to run will block the ASLR bypass and the associated ROP chain." Microsoft is working on a Fix-It protection tool as well as security update.

Users of IE9 and 10 are not susceptible to the attacks. "We want to reiterate the IE9 and IE10 are not affected and that we currently see only very targeted attacks," Microsoft stated.

Related Stories

(Phys.org)—More than a few Internet Explorer users stand vulnerable to fresh attacks of Poison Ivy. In the latest headline in the "Internet Explorer has a flaw" saga, a security hole in Internet Explorer ...

(Phys.org) -- Confirm, warn, patch. Microsoft has had a busy week, this being the week of Patch Tuesday, an event held on the second Tuesday of the month, when Microsoft releases security patches. On this ...

Recommended for you

Microsoft has opened up the (literal) windows, called in creatives, and has been engineering a next-generation browser. Project Spartan is to reflect the general mood of fresh air at Redmond. Although "Project ...

South Korea's top mobile messenger operator launched a new web-based cab-hailing service Tuesday to compete with California-based Uber, whose service has been subjected to crackdowns from state regulators.

Until the Linux was desktop system only, nobody did take care of it and the number of its viruses was low. When it did become the basis of Android system, then the number of its viruses raised steadily and the Open Source platform doesn't help against it at all. This may serve as an evidence, the number of viruses actually depends on the number of users, not quality of operating system. Simply because every protection can be compromised (as RIAA and similar agencies know very well).

Until the Linux was desktop system only, nobody did take care of it and the number of its viruses was low...the number of viruses actually depends on the number of users, not quality of operating system. Simply because every protection can be compromised (as RIAA and similar agencies know very well).

For starters, your link... let's just say the author of that blog post doesn't know the difference between a virus, worm, trojan, or water buffalo. People who repeatedly misuse jargon rarely know enough to be writing on a subject.

Quality matters. Operating systems can be extraordinarily insecure (e.g. Win 9x) or much more difficult to infect (e.g. debian selinux good configuration). IE 5-8 were rife with security holes and easily targeted. I suspect they are still in widespread use in .gov systems

To me, the interesting part is that they used CFR and a zeroday? CFR has a great readership. Ask a dozen political staffers in DC or Beijing and you'll find a subscriber.